Our Take
Volume-based attack success is not a new vulnerability; it's a math problem dressed as a breach explanation.
Why it matters
Password manager users need to know whether their encryption held or whether attackers obtained plaintext credentials. Dashlane's framing matters because it determines whether you stay or switch.
Do this week
Security teams: decide whether your organization's Dashlane deployment needs a credential reset, and if it does, complete it this week rather than leaving the exposure window open while you deliberate.
Dashlane confirms attackers accessed encrypted vaults
Dashlane published details of how attackers managed to download encrypted password vaults from a large number of users (per Ars Technica). The company did not disclose the total number of accounts affected or the scope of the compromise in the available reporting.
According to Dashlane's statement, attackers increased their overall yield by targeting large numbers of users rather than focusing on a smaller set with privileged access. This suggests the campaign relied on volume, a small per-account success rate applied to a large population, rather than on a single catastrophic vulnerability in Dashlane's encryption or key management.
As far as the available reporting goes, the vault contents remain protected by Dashlane's encryption: the company has not reported that plaintext passwords were extracted or that the encryption was broken. What is confirmed is that the attackers obtained the encrypted vaults; whether any of them have been decrypted is not addressed in the source material.
The distinction between access and breach
Dashlane's explanation separates the act of downloading vaults from the ability to read them. If encryption held, the downloaded files are worthless without the decryption key. If encryption failed, you have a plaintext credential leak. That "if" depends on where the key comes from: a vault keyed through a slow key-derivation function over a strong master password stays opaque, while one protected by a weak or reused master password can be opened offline, at the attacker's leisure, with no further contact with Dashlane's servers.
The company's messaging emphasizes the attack method (volume targeting) to suggest the breach was not a flaw in its core security model but a campaign that succeeded at scale through account-level weaknesses; the reporting does not say which, though credential stuffing and social engineering are the usual candidates. Practitioners and users need clarity on whether that distinction holds in practice. A high-volume breach that exploits weak user passwords or recovery mechanisms is still a compromise of the vault contents, whatever the encryption architecture looks like on paper.
This attack pattern also reveals a secondary risk: password managers are valuable targets precisely because they centralize credentials. An attacker willing to target millions of accounts for small success rates only needs a handful of decryptable vaults to profit.
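The arithmetic behind the "handful of decryptable vaults" argument, as an added example that is not part of the original article and not Dashlane's code or data: a greedy attacker holding a corpus of stolen ciphertexts spends an offline guessing budget on the cheapest master-password tier first, and the number of vaults that fall depends on two things the defender controls only partly, the master-password distribution and the cost of one key-derivation evaluation. The population tiers, the guess rates, and the 30-day budget are all illustrative assumptions; nothing here describes Dashlane's actual KDF parameters or user base.

```python
"""Added example, not Dashlane's code or data: expected yield of offline
master-password guessing against a corpus of stolen, still-encrypted vaults.
Every number below is an assumption for illustration."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Tier:
    name: str
    share: float      # assumed fraction of users whose master password is in this tier
    dictionary: int   # assumed KDF evaluations needed to exhaust this tier against one vault


# Constructed population; an assumption, not a measurement of any real user base.
TIERS = (
    Tier("top-1k wordlist", 0.02, 1_000),
    Tier("top-1M wordlist", 0.10, 1_000_000),
    Tier("random 60-bit+", 0.88, 10**18),
)

SECONDS_30_DAYS = 30 * 24 * 3600


def guess_budget(guesses_per_second: int, seconds: int) -> int:
    """Total KDF evaluations the attacker can afford: hardware rate times time."""
    return guesses_per_second * seconds


def expected_cracked(vaults: int, budget: int, tiers=TIERS) -> dict:
    """Greedy attacker: sweep the tier with the best vaults-per-guess ratio across
    every vault first, then the next tier, until the budget is exhausted.
    Returns {tier name: vaults opened} plus a 'total' entry."""
    result = {}
    remaining = budget
    for tier in sorted(tiers, key=lambda t: t.share / t.dictionary, reverse=True):
        # Exhausting one tier against one vault costs `dictionary` guesses, so the
        # attacker can afford to sweep at most remaining // dictionary vaults with it.
        covered = min(vaults, remaining // tier.dictionary)
        remaining -= covered * tier.dictionary
        # Of the vaults swept, only the share whose owner chose a password in this tier opens.
        result[tier.name] = round(covered * tier.share)
    result["total"] = sum(result.values())
    return result


def compare_kdf_cost(vaults: int = 1_000_000) -> tuple:
    """Same hardware, same month, one million stolen vaults: assumed 10^10 guesses/s
    against a fast unsalted hash versus 10^4 guesses/s against a memory-hard KDF."""
    fast_hash = expected_cracked(vaults, guess_budget(10**10, SECONDS_30_DAYS))
    slow_kdf = expected_cracked(vaults, guess_budget(10**4, SECONDS_30_DAYS))
    return fast_hash["total"], slow_kdf["total"]


if __name__ == "__main__":
    fast, slow = compare_kdf_cost()
    print(f"fast hash: {fast} vaults opened; slow KDF: {slow} vaults opened")
```

Under these assumptions the slow KDF cuts the month's haul from 120,000 vaults to about 22,000, but it does not reach zero: the top-1k tier falls regardless, because a thousand guesses per vault is cheap at any KDF cost. That is the volume argument in one line. The attacker does not need Dashlane's encryption to fail; a small fraction of weak master passwords across a large enough corpus is enough, which is why the advice below treats stored credentials as exposed rather than betting on the ciphertext.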
What to do now
If your organization uses Dashlane, treat this as a credential reset event. Assume any password stored in Dashlane during the attack window is potentially exposed, regardless of encryption status. Change critical credentials (cloud admin accounts, email, VPN, multi-factor authentication recovery codes) immediately. Note that changing a Dashlane master password does not help with copies already downloaded: those stay encrypted under the old key, so the secrets inside the vault are what must change.
Request Dashlane's timeline of the compromise so you can determine which credentials fall in the affected window. Use this moment to audit whether your team should migrate to an alternative password manager or shift to identity federation and passwordless authentication for enterprise access.
The volume-based attack method also raises the question of what Dashlane's anomaly detection and rate limiting saw. Vault downloads for a large number of distinct accounts, whether from a small set of sources or compressed into a short time, are exactly the pattern such controls exist to catch. Ask the company directly which controls were in place to flag large-scale unauthorized access, and what they flagged.
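The kind of control the previous paragraph is asking about, as an added example that is not part of the original article and not Dashlane's detection logic: a sliding-window rule that flags any source fetching encrypted vaults for too many distinct accounts. The log format, the sample lines, the window length and the threshold are all assumptions made for this example; the sample log is constructed, not real telemetry.

```python
"""Added example, not Dashlane's code or logs: flag sources that download
encrypted vaults for many distinct accounts inside a sliding window.
The log format, thresholds and sample lines are assumptions for illustration."""

from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in an assumed format:
# "<ISO-8601 UTC timestamp> <source_ip> <user_id> <event>"
# 198.51.100.7: one user, twice (normal sync). 203.0.113.5: five accounts in
# seconds (burst). 203.0.113.9: five accounts spread over two hours (low and slow).
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 198.51.100.7 u2001 vault_download
2024-01-01T10:00:05Z 203.0.113.5 u1001 vault_download
2024-01-01T10:00:06Z 203.0.113.5 u1002 vault_download
2024-01-01T10:00:07Z 203.0.113.5 u1003 login_failure
2024-01-01T10:00:08Z 203.0.113.5 u1003 vault_download
2024-01-01T10:00:09Z 203.0.113.5 u1004 vault_download
2024-01-01T10:00:09Z 203.0.113.5 u1004 vault_download
2024-01-01T10:05:00Z 198.51.100.7 u2001 vault_download
2024-01-01T10:00:11Z 203.0.113.5 u1005 vault_download
2024-01-01T10:30:00Z 203.0.113.9 u3001 vault_download
2024-01-01T10:50:00Z 203.0.113.9 u3002 vault_download
2024-01-01T11:10:00Z 203.0.113.9 u3003 vault_download
2024-01-01T11:30:00Z 203.0.113.9 u3004 vault_download
2024-01-01T11:50:00Z 203.0.113.9 u3005 vault_download
"""


def parse_log(log_text: str) -> list:
    """Parse the assumed format into (timestamp, ip, user, event) tuples, sorted
    by time so out-of-order lines (as in the sample) do not break the window."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, event = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, event))
    events.sort(key=lambda e: e[0])
    return events


def detect(log_text: str, window_minutes: int = 10, distinct_limit: int = 5) -> dict:
    """Flag any source that downloads vaults for >= distinct_limit different accounts
    inside a sliding window. Returns {ip: (first_alert_timestamp, distinct_count)}."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # ip -> (ts, user) pairs still inside the window
    alerts = {}
    for ts, ip, user, event in parse_log(log_text):
        if event != "vault_download":   # only vault fetches count toward the limit
            continue
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:    # evict events that have aged out of the window
            q.popleft()
        distinct = len({u for _, u in q})   # repeat downloads by one account count once
        if distinct >= distinct_limit and ip not in alerts:
            alerts[ip] = (ts.isoformat(), distinct)
    return alerts


if __name__ == "__main__":
    print("10-minute window:", detect(SAMPLE_LOG, 10, 5))
    print("24-hour window:  ", detect(SAMPLE_LOG, 24 * 60, 5))
```

Run against the constructed log, the 10-minute rule catches the burst source and misses the slow one; widening the window to 24 hours catches both while still leaving the legitimate single-user source alone. That is the caveat to carry into the conversation with the vendor: a rate limit tuned for bursts is exactly what a patient, volume-based campaign is designed to stay under, so the question is not only whether a control existed but what window and threshold it used.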